(54) Method of establishing a secure data connection



(57) In a method of establishing a secure data connection, a corporate computer network comprises a LAN to which is connected a first, second and third client computer. At the boundary of the corporate computer network is a firewall computer (hereinafter simply referred to as 'the firewall'). The firewall is configured to prevent incoming data connections being made to the LAN from outside of the corporate computer network. As well as preventing incoming communications with the LAN, the firewall is also configured to control connections requested from within the corporate computer network to external computers. Indeed, for security purposes, the firewall is configured to require authentication of such requests for an external connection (i.e. to verify who is actually making the request) prior to establishing the external connection. This authentication is performed using the SSL protocol. In this case, the Java Secure Sockets Extension (JSSE) implementation of SSL is used. Multiple SSL sessions are used, firstly to obtain the necessary authentication of the relevant client computer to the firewall, and then to obtain a secure connection between the client computer and a destination computer. These multiple SSL sessions are set up in a nested manner, the general method being applicable to situations where a larger number of SSL sessions are required.



[Fig. 2: the layered processes SSL1, SSL2, socket1 and socket2 running on the network of Fig. 1; SSL2 is layered over SSL1, socket1 joins the client to the firewall and socket2 joins the firewall to the server]
Printed by Jouve, 75001 PARIS (FR) 






EP 1 280 300 A2 






Description

[0001] This invention relates to a method of establish- 
ing a secure data connection between computing devic- 
es. More particularly, the invention relates to a method 
of establishing a secure data connection between com- 
puting devices using a secure data transfer protocol, 
such as the Secure Sockets Layer (SSL) protocol. 
[0002] The recent increase in the use of publicly ac- 
cessible computer networks, such as the Internet, for 
information exchange has resulted in an increased need 
for secure data connections across such networks. This 
is particularly evident given that there has recently been 
a large increase in E-commerce facilities on the Internet. 
Such facilities generally enable confidential business in- 
formation, financial information, and even payment re- 
quests, to be sent over publicly accessible computer 
networks. In the context of this invention, the term 'se- 
cure data connection' or 'secure data transfer session' 
is intended to mean a datapath or connection which has 
been configured to transfer data using some secure da- 
ta transfer protocol. 

[0003] The SSL protocol (whose standardised successor is the Transport Layer Security (TLS) protocol) is an industry 
standard method by which secure data connections or 
sessions can be established. The SSL protocol provides 
data encryption, server authentication, message integ- 
rity and optional client authentication over computer net- 
works. SSL is a so-called transport layer protocol since 
it is defined to operate on the 'sockets' level of a com- 
puter network. It will be understood by those skilled in 
the art that 'sockets' is the standard application program 
interface (API) by which data is transferred on the trans- 
port level of a computer network. As a result of SSL op- 
erating on the sockets level of a network, there must be 
an end-to-end direct connection between networked de- 
vices in order for SSL to function correctly. 
[0004] Secure data transfer sessions are generally 
established between the user's computer and the ulti- 
mate destination computer, e.g. an online banking organisation's server, or some other E-commerce server. 
No account is made of intervening devices on the net- 
work. 

[0005] According to a first aspect of the present invention, there is provided a method of establishing a secure data connection between a first computer and a second computer over a computer network, the computer network including a third computer interconnecting the first and second computers, the method comprising: establishing a first data connection between the first computer and the third computer; establishing, over the first data connection, a first secure data transfer session between the first computer and the third computer; in response to a request sent over the first secure data transfer session, establishing a second data connection between the third computer and the second computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer.

[0006] The method provides a means by which a secure data transfer session may be set up with a destination computer (in this case the second computer) even though an intermediate device (the third computer) itself requires data transfer over a secure data transfer session. In this sense, some computer networks employ relay devices, sometimes referred to as 'firewalls' or 'proxies', which control the transfer of data into, and out of, private networks. In certain circumstances it may be desirable to make such relays 'secure' so that any request the relay receives for making an onward connection to some other computer has itself to be sent using a secure data transfer session. The method caters for such a circumstance by means of 'nesting' secure data transfer sessions. The method is by no means limited to establishing two secure data transfer sessions, and, in theory, an unlimited number of sessions can be nested.

[0007] Preferably, the third computer is a relay. After the first data connection is established, the relay computer can send a prompt message to the first computer requesting that a secure data transfer session be established.

[0008] The step of establishing the second data connection between the relay and the second computer may be performed by means of the first computer sending a request message to the relay over the first secure data transfer session, the request message specifying the location or address of the second computer.

[0009] Prior to the step of establishing the second data connection between the relay and the second computer, the relay may perform a security check to determine whether the second computer can be accessed, the second data connection only being established if the check is successful.

[0010] The first and second secure data transfer ses- 
sions are preferably established using the SSL protocol, 
or a variant thereof. 

[0011] The second secure data transfer session between the first computer and the second computer may be layered over the first secure data transfer session. The second secure data transfer session between the first computer and the second computer may use the first secure data transfer session as its transport layer.
[0012] According to a second aspect of the present invention, there is provided a method of establishing a secure data connection between a first computer and a second computer over a computer network, the computer network including a third computer, the method comprising: establishing a first data connection between the first computer and the third computer; establishing, over the first data connection, a first secure data transfer session between the first computer and the third computer; transferring an access request to the third computer over the first secure data transfer session, the access request including an address corresponding to the second computer; establishing a second data connection between the third computer and the second computer using the address supplied from the first computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer.
[0013] According to a third aspect of the present invention, there is provided a method of establishing a secure data connection between a first computer and a second computer over a computer network, the computer network including a third computer, wherein the second computer is accessible by means of an address which is initially unknown to the third computer, the method comprising: establishing a first data connection between the first computer and the third computer; establishing, over the first data connection, a first secure data transfer session between the first computer and the third computer; establishing a second data connection between the third computer and the second computer in response to receiving an access request from the first computer over the first secure data transfer session, the access request including the address of the second computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer, the second secure data transfer session using the first secure data transfer session as its transport layer.

[0014] According to a fourth aspect of the present invention, there is provided a method of establishing a secure data connection between a first computer and a second computer over a computer network, the computer network including a firewall, wherein the second computer is accessible by means of an address which is initially unknown to the firewall, the method comprising: establishing a first data connection between the first computer and the firewall; establishing, over the first data connection, a first secure data transfer session between the first computer and the firewall; establishing a second data connection between the firewall and the second computer in response to receiving an access request from the first computer over the first secure data transfer session, the access request including the address of the second computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer.
[0015] According to a fifth aspect of the present invention, there is provided a computer program stored on computer usable medium comprising computer-readable instructions for causing a host computer to perform the steps of: establishing a first data connection between the host computer and a first remote computer; establishing, over the first data connection, a first secure data transfer session between the host computer and the first remote computer; in response to a request sent over the first secure data transfer session, causing the first remote computer to establish a second data connection between the first remote computer and a second remote computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the host computer and the second remote computer.

[0016] In this sense, the term 'remote computer' is intended to mean a computer which is physically separated from the host computer by means of a network link, for example, an Internet connection.
[0017] According to a sixth aspect of the present invention, there is provided a computer network comprising: at least one client computer; and a relay for controlling data flow between the or each client computer and an external computer network, wherein the or each client computer is configured to: establish a first data connection with the relay; establish, over the first data connection, a first secure data transfer session between the client computer and the relay; establish a second data connection between the relay and a computer forming part of the external computer network by means of sending a data connection request from the client computer to the relay using the first secure data transfer session; and establish, by means of the first and second data connections, a second secure data transfer session between the client computer and the computer forming part of the external computer network.
[0018] The invention will now be described, by way of 
example, with reference to the accompanying drawings 
in which: 

Figure 1 is a block diagram showing a corporate 
computer network connected to an Internet server; 

Figure 2 illustrates the processes running on the 
computer network represented in Figure 1 ; 

Figure 3 is a block diagram showing the corporate 
computer network of Figure 1 connected to a further 
corporate computer network; and 

Figure 4 illustrates the processes running on the 
computer network shown in Figure 3. 

[0019] Referring to Figure 1, a corporate computer network 2 is shown. Figure 1 also shows an Internet server 13 connected to the corporate computer network 2 by means of a telephone line 12. The boundary of the corporate computer network 2 is represented by reference numeral 1. Within the corporate computer network 2 is a LAN 3 to which is connected first, second and third client computers 5, 7, and 9. At the boundary 1 of the corporate computer network 2 is a firewall computer 11 (hereinafter simply referred to as 'the firewall'). The firewall 11 is configured to prevent incoming data connections being made to the LAN 3 from outside of the corporate computer network 2. As well as preventing incoming communications with the LAN 3, the firewall 11 is also configured to control connections requested from within the corporate computer network 2 to external computers. Indeed, for security purposes, the firewall 11 is configured to require authentication of such requests for an external connection (i.e. to verify who is actually making the request) prior to establishing the external connection. This authentication is performed using the SSL protocol. In this case, the Java Secure Sockets Extension (JSSE) implementation of SSL is used. The fact that the firewall 11 requires authentication with SSL is pre-programmed into the first, second and third client computers 5, 7, 9.

[0020] The operation by which the firewall 11 allows 
a secure connection to be established is described with 
reference to Figure 2. 

[0021] Referring to Figure 2, the various layered processes running on the overall system components of Figure 1 are shown. In use, a user of the first client computer 5 (to take this computer as an example) sends a request to the firewall 11 for accessing a particular website stored on the Internet server 13. An SSL session between the first client computer 5 and the Internet server 13 is desired. The firewall 11 establishes the connection known as 'socket1' (the two end points of which are indicated by the reference numeral 15) between the first client computer 5 and itself. As mentioned previously, a 'socket' is the standard API by which data is transferred on the transport layer of a computer network, e.g. using the Transmission Control Protocol (TCP).
[0022] The first client computer 5 then establishes a first SSL session, called SSL1, over socket1 15.
[0023] In the next stage, the first client computer 5 sends its request to access the Internet server 13 using SSL1. Thus, the firewall 11 is able to verify that client computer 5 sent the request message. Provided the address specified in the request does not correspond with an entry in a pre-stored list of forbidden sites in the firewall 11, the firewall then establishes a second connection, i.e. between itself and the Internet server 13. This second connection is known as 'socket2' (the two end points of which are indicated by the reference numeral 21). Once the firewall 11 has successfully set up socket2 21, the first client computer 5 can now layer a second SSL session, called SSL2, partly using the first SSL session, SSL1, as its transport layer. This is to some extent facilitated by the use of JSSE which, unlike some other SSL implementations, has an abstract view of 'sockets'. Other implementations of SSL can also be used, such as OpenSSL. With JSSE, it is possible to open SSL sessions directly on the socket layer (as with all SSL implementations) and it is also possible to use such SSL sessions as transport layers themselves. Accordingly, in the above example, SSL2 is established between the first client computer 5 and the Internet server 13 using SSL1 as the transport layer. Data sent using SSL2 is effectively 'tunnelled' through the SSL1 session, although this tunnelling is transparent to the Internet server 13.

[0024] It will be appreciated that, initially, the firewall 11 does not require knowledge of the address of the Internet server 13. Once a secure connection is established between the client computer 5 and the firewall 11 (using SSL1) and the required authentication completed, the client computer 5 sends its request to access the Internet server 13 over the SSL1 connection. This request may include the address of the Internet server 13, and so, at this time, the firewall 11 can proceed to establish a connection with the Internet server 13. The second secure session (SSL2) between the client computer 5 and the Internet server 13 can then be layered over the first secure session (SSL1).
[0025] The principle of operation is readily applicable to situations where multiple firewalls are employed. A second embodiment is shown in Figure 3. Figure 3 is identical to Figure 1, with the exception that the destination computer 47 is not an Internet server but part of a different corporate network 43 having its own firewall 45 (hereinafter referred to as 'the second firewall'). As with firewall 11, the second firewall 45 does not generally allow inbound access to the corporate network 43. However, the second firewall 45 does permit inbound access if an SSL session is set up, and data is sent using the SSL session.

[0026] The fact that the firewalls 11, 45 require authentication with SSL is pre-programmed into the first, second and third client computers 5, 7, 9. In other words, the client computers 5, 7, 9 can be programmed to know that two firewalls are being used and that they both require an SSL session to be set up.

[0027] Referring to Figure 4, the various layered processes running on the system of Figure 3 are shown. The same initial process described above is performed, i.e. with SSL1 and SSL2 being set up. In this case, however, a third connection, socket3 39, is established between the second firewall 37 and the destination computer 47. A third SSL session, SSL3, is invoked, which uses SSL2 as its transport layer (which in turn uses SSL1 as its transport layer). Thus, data sent using SSL3 is tunnelled through SSL2 and SSL1. As many SSL sessions as are required can be nested in this way in order to cater for any number of intervening devices which require secure data transfer (i.e. over a secure data transfer session).
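The exchange of Figures 1 and 2 (SSL1 from client 5 to firewall 11, the access request over SSL1, the forbidden-site check of [0023], then SSL2 to the Internet server 13 using SSL1 itself as the transport), as an added example in Go. It is not code from the patent, which names JSSE and OpenSSL; Go's crypto/tls is used because tls.Client accepts any net.Conn, including another TLS connection, which is exactly the "abstract view of sockets" that [0023] relies on. Everything here is constructed for the example: the three parties run in one process over loopback TCP, the certificates are throwaway self-signed ones minted at start-up, the request line `CONNECT <name>` with the `OK`/`NO` replies is an assumed firewall protocol (the patent does not specify a message format), and the firewall is made to require a client certificate on SSL1 as its means of verifying who sent the request. The third session of Figure 4 would be added in the same way, as one more tls.Client layered over ssl2.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway certificate for name plus a pool that trusts it
// (constructed for this example; a real deployment would use its own PKI).
func selfSigned(name string, eku x509.ExtKeyUsage) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true, IsCA: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// serveOnce is loopback scaffolding: accept one TCP connection in the background, hand it to handle, return the address.
func serveOnce(handle func(net.Conn)) string {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	go func() { c, _ := ln.Accept(); ln.Close(); handle(c) }()
	return ln.Addr().String()
}

// relayServe is the firewall 11: authenticate the client over SSL1, vet its access request, dial socket2
// only if the destination is allowed, then splice SSL1 plaintext to socket2 so SSL2 records ride inside SSL1.
func relayServe(socket1 net.Conn, cert tls.Certificate, clientCAs *x509.CertPool, forbidden map[string]bool, dial func(string) (net.Conn, error)) error {
	ssl1 := tls.Server(socket1, &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs})
	defer ssl1.Close()
	if err := ssl1.Handshake(); err != nil { // fails unless the client proves its identity
		return err
	}
	who := ssl1.ConnectionState().PeerCertificates[0].Subject.CommonName
	var verb, addr string // Fscanln reads byte by byte and stops at the newline: no SSL2 bytes are swallowed
	var socket2 net.Conn
	if _, err := fmt.Fscanln(ssl1, &verb, &addr); err == nil && verb == "CONNECT" && !forbidden[addr] {
		socket2, _ = dial(addr) // the address was unknown to the firewall until this request
	}
	if socket2 == nil {
		io.WriteString(ssl1, "NO\n")
		return fmt.Errorf("refused %q %q from %s", verb, addr, who)
	}
	defer socket2.Close()
	io.WriteString(ssl1, "OK\n")
	go io.Copy(socket2, ssl1)        // client -> destination, decrypted from SSL1
	_, err := io.Copy(ssl1, socket2) // destination -> client, wrapped into SSL1
	return err
}

// NestedExchange is client 5 reaching Internet server 13 through the firewall, all on loopback: SSL1 to the
// firewall, the access request over SSL1, then SSL2 to dest with SSL1 as transport. It returns dest's echo.
func NestedExchange(dest string, forbidden map[string]bool) (string, error) {
	fwCert, fwCAs := selfSigned("firewall", x509.ExtKeyUsageServerAuth)
	destCert, destCAs := selfSigned(dest, x509.ExtKeyUsageServerAuth)
	clientCert, clientCAs := selfSigned("client5", x509.ExtKeyUsageClientAuth)
	destAddr := serveOnce(func(socket2 net.Conn) { // an ordinary TLS server, unaware of SSL1
		ssl := tls.Server(socket2, &tls.Config{Certificates: []tls.Certificate{destCert}})
		var word string
		fmt.Fscanln(ssl, &word)
		fmt.Fprintf(ssl, "echo:%s\n", word)
		ssl.Close() // close_notify, which ends the client's io.ReadAll below
	})
	dial := func(string) (net.Conn, error) { return net.Dial("tcp", destAddr) } // name lookup stand-in
	fwAddr := serveOnce(func(c net.Conn) { relayServe(c, fwCert, clientCAs, forbidden, dial) })
	socket1, err := net.Dial("tcp", fwAddr)
	if err != nil {
		return "", err
	}
	ssl1 := tls.Client(socket1, &tls.Config{ServerName: "firewall", RootCAs: fwCAs, Certificates: []tls.Certificate{clientCert}})
	defer ssl1.Close()
	fmt.Fprintf(ssl1, "CONNECT %s\n", dest) // also drives the SSL1 handshake
	resp := make([]byte, 3)                 // exactly one reply; reading further would steal SSL2 bytes
	if _, err := io.ReadFull(ssl1, resp); err != nil || string(resp) != "OK\n" {
		return "", fmt.Errorf("firewall refused %s: %q %v", dest, resp, err)
	}
	ssl2 := tls.Client(ssl1, &tls.Config{ServerName: dest, RootCAs: destCAs})
	fmt.Fprintln(ssl2, "hello") // the SSL2 handshake runs here, tunnelled through SSL1
	reply, err := io.ReadAll(ssl2)
	return string(reply), err
}

func main() {
	reply, err := NestedExchange("bank.example", map[string]bool{"evil.example": true})
	fmt.Printf("%q %v\n", reply, err)
}
```

Two points worth noticing when running it. The destination never sees socket1 or SSL1: the bytes that arrive on socket2 are a plain ClientHello, which is the transparency [0023] describes, and it also means the firewall learns nothing about what passes inside SSL2 beyond the name it was asked to connect to, so its only policy point is the access request. Second, the firewall reads that request a byte at a time and the client reads exactly one reply; any read-ahead at either end would consume the first SSL2 record and break the inner handshake, which is the practical cost of layering one session over another on the same stream.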
[0028] By using this nesting method, whereby a previous SSL session is used as the transport mechanism for transferring data using a new SSL session, no changes are generally required to the SSL implementation in the client computer or the destination computer. The method caters for situations where it would be advantageous to set up secure relays which only invoke onward connections which are first authenticated using a secure data transfer protocol.



Claims 


1. A method of establishing a secure data connection between a first computer (5) and a second computer (13) over a computer network, the computer network including a third computer (11) interconnecting the first and second computers, the method comprising: establishing a first data connection between the first computer and the third computer; establishing, over the first data connection, a first secure data transfer session between the first computer and the third computer; in response to a request sent over the first secure data transfer session, establishing a second data connection between the third computer and the second computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer.

2. A method according to claim 1, wherein the third computer (11) is a relay, and wherein, after the first data connection is established, the relay computer sends a prompt message to the first computer (5) requesting that a secure data transfer session be established.

3. A method according to claim 2, wherein the step of establishing the second data connection between the relay (11) and the second computer (13) is performed by means of the first computer (5) sending a request message to the relay over the first secure data transfer session, the request message specifying the location or address of the second computer.


4. A method according to claim 2 or claim 3, wherein, prior to the step of establishing the second data connection between the relay (11) and the second computer (13), the relay performs a security check to determine whether the second computer can be accessed, the second data connection only being established if the check is successful.

5. A method according to any preceding claim, wherein the first and second secure data transfer sessions are established using the SSL protocol.

6. A method according to any preceding claim, wherein the second secure data transfer session between the first computer (5) and the second computer (13) is layered over the first secure data transfer session.

7. A method according to any preceding claim, wherein the second secure data transfer session between the first computer (5) and the second computer (13) uses the first secure data transfer session as its transport layer.

8. A method of establishing a secure data connection between a first computer (5) and a second computer (13) over a computer network, the computer network including a third computer (11), the method comprising: establishing a first data connection between the first computer and the third computer; establishing, over the first data connection, a first secure data transfer session between the first computer and the third computer; transferring an access request to the third computer over the first secure data transfer session, the access request including an address corresponding to the second computer; establishing a second data connection between the third computer and the second computer using the address supplied from the first computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer.

9. A method of establishing a secure data connection between a first computer (5) and a second computer (13) over a computer network, the computer network including a third computer (11), wherein the second computer is accessible by means of an address which is initially unknown to the third computer, the method comprising: establishing a first data connection between the first computer and the third computer; establishing, over the first data connection, a first secure data transfer session between the first computer and the third computer; establishing a second data connection between the third computer and the second computer in response to receiving an access request from the first computer over the first secure data transfer session, the access request including the address of the second computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer, the second secure data transfer session using the first secure data transfer session as its transport layer.

10. A method of establishing a secure data connection between a first computer (5) and a second computer (13) over a computer network, the computer network including a firewall (11), wherein the second computer is accessible by means of an address which is initially unknown to the firewall, the method comprising: establishing a first data connection between the first computer and the firewall; establishing, over the first data connection, a first secure data transfer session between the first computer and the firewall; establishing a second data connection between the firewall and the second computer in response to receiving an access request from the first computer over the first secure data transfer session, the access request including the address of the second computer; and establishing, by means of the first and second data connections, a second secure data transfer session between the first computer and the second computer.
11. A computer program stored on computer usable medium comprising computer-readable instructions for causing a host computer (5) to perform the steps of: establishing a first data connection between the host computer and a first remote computer (11); establishing, over the first data connection, a first secure data transfer session between the host computer and the first remote computer; in response to a request sent over the first secure data transfer session, causing the first remote computer to establish a second data connection between the first remote computer and a second remote computer (13); and establishing, by means of the first and second data connections, a second secure data transfer session between the host computer and the second remote computer.

12. A computer network comprising: at least one client computer (5, 7, 9); and a relay (11) for controlling data flow between the or each client computer and an external computer network (43), wherein the or each client computer is configured to: establish a first data connection with the relay; establish, over the first data connection, a first secure data transfer session between the client computer and the relay; establish a second data connection between the relay and a computer forming part of the external computer network by means of sending a data connection request from the client computer to the relay using the first secure data transfer session; and establish, by means of the first and second data connections, a second secure data transfer session between the client computer and the computer forming part of the external computer network.